Requests to destroy data
Can individuals ask us to destroy their personal data in the middle of the research project?
The GDPR creates a host of data subject rights that controllers are bound to uphold when they process personal data. Consistent with exemptions from the purpose limitation and storage limitation principles for research processing, the GDPR carves out exceptions to data subject rights for processing related to research. Exemptions from the right to erasure and the right to object stem directly from the text of the GDPR. Additionally, EU member states may craft exemptions to a number of other rights by appropriate legislation.
Exemptions directly provided in the GDPR
The GDPR supplies each data subject with the right to have her/his personal data erased when she/he withdraws consent or objects to the processing, as well as when the data are no longer needed for the purpose for which they were first collected. In many cases, complying with this right threatens the integrity of a researcher’s dataset. To address this concern, the GDPR exempts research from the right to erasure insofar as it is “likely to render impossible or seriously impair the achievement of the [research] objectives”. Thus, at least in some cases, researchers may further process personal data for research purposes in spite of a data subject’s request for erasure.
Data subjects retain a right to object to processing, even for research purposes. However, a researcher may override a data subject’s objection if “the processing is necessary for the performance of a task carried out for reasons of public interest”. For a task to be justified by public interest, Recital 45 specifies that it “should have a basis in Union or Member State law.”
Exemptions requiring member state legislative action
The GDPR allows member states or the EU to limit data subject rights to access, rectification, restriction, and the right to object where processing is for research purposes subject to the appropriate safeguards. However, this is not a blanket authority to derogate from these rights. The derogations must be “necessary for the fulfilment of [the research] purposes” and they are only permissible if allowing data subjects to exercise their rights would likely “render impossible or seriously impair the achievement of the specific purposes.” It is expected that the Data Protection Bill in the UK will make some provisions in this regard.
For processing for archiving purposes in the public interest, in addition to the exemptions above, EU member states may provide derogations from the right to data portability and the right to notification that data have been rectified, restricted or erased. So, we need to watch this space in the UK.